Extracting values from multivalued field and merging

For example:

These are some parts of my logs:

sender= xyz(receiver=a, receiver =b)

sender= abc(receiver=a,receiver =d)

sender=xyz(receiver=a)

....more entries

And result should be something like:

sender=xyz receiver=a

sender=xyz receiver=b

sender=abc receiver=c

sender=abc receiver=d

and I am using a remote button as input.

So whenever I give an input of receiver=a

it should give me a table like

sender=abc    1

sender=xyz    2

Need help to write the query 😞

Re: Extracting values from multivalued field and merging

Hi @Dhruvi ,

try something like this:

This is the first:

Your_search
| rex field=sender "^\s*(?<my_sender>[^\s\(]*)"
| rex max_match=10 field=sender "receiver\s*=\s*(?<receiver>\w+)"
| mvexpand receiver
| table my_sender receiver

This is the second:

Your_search
| rex field=sender "^\s*(?<my_sender>[^\s\(]*)"
| rex max_match=10 field=sender "receiver\s*=\s*(?<receiver>\w+)"
| mvexpand receiver
| search receiver=a
| stats count BY my_sender

Ciao.

Giuseppe
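As an added example that is not part of Giuseppe's answer or the original post: the same extract, expand and count pipeline in Python, using the two regexes from the answer (Python spells a named group `(?P<name>...)`), so the behaviour on the question's sample lines can be checked offline before wiring the search into a dashboard. The log lines, including the extra entry with no receivers, are constructed.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the ones in the question; the
# whitespace around '=' and ',' varies just as it does in the post.
# The last line is constructed to show an entry with no receiver pairs.
SAMPLE_LOGS = [
    "sender= xyz(receiver=a, receiver =b)",
    "sender= abc(receiver=a,receiver =d)",
    "sender=xyz(receiver=a)",
    "sender=qrs(no receivers listed)",
]

# Same patterns as the two SPL `rex` commands; here they run against the raw
# line, so the sender pattern also matches the "sender=" key. Excluding
# whitespace from my_sender keeps the value free of a trailing blank.
SENDER_RE = re.compile(r"sender\s*=\s*(?P<my_sender>[^\s(]+)")
RECEIVER_RE = re.compile(r"receiver\s*=\s*(?P<receiver>\w+)")


def expand(lines):
    """Equivalent of `rex max_match=10` + `mvexpand receiver`:
    one (my_sender, receiver) row per receiver found in a line.
    (finditer has no match cap; SPL stops after max_match.)"""
    rows = []
    for line in lines:
        sender = SENDER_RE.search(line)
        if not sender:
            continue  # no sender field: nothing to expand
        for hit in RECEIVER_RE.finditer(line):
            rows.append((sender.group("my_sender"), hit.group("receiver")))
    return rows


def count_senders_for(rows, receiver):
    """Equivalent of `| search receiver=<input> | stats count BY my_sender`."""
    return Counter(s for s, r in rows if r == receiver)


if __name__ == "__main__":
    rows = expand(SAMPLE_LOGS)
    for s, r in rows:
        print(f"sender={s} receiver={r}")
    print("--- input receiver=a ---")
    for s, n in sorted(count_senders_for(rows, "a").items()):
        print(f"sender={s:<6}{n}")
```

For receiver=a the count comes out as xyz 2, abc 1, which is the table the question asks for.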
